A recent incident with the Facebook Bug Bounty program has led to many different reactions, some supporting Facebook and others the security researcher. Regardless of who is right in this whole story, one fact is clear: the researcher went far beyond what Facebook had initially expected and got access to sensitive data that Facebook didn’t really want to share with anybody, including the researchers' community.

These days Bug Bounties have become very popular, raising more and more questions about their efficiency and effectiveness. We will try to understand whether and how Bug Bounties can be used to test your corporate web applications. I intentionally omit bug bounties for stand-alone software (e.g. Chrome or various IoT applications), as that is a different topic.